
Cookies in Set-Cookie are being ignored by browser

I do have a problem with setting cookies. I'm running a small application on Azure Functions and a static webpage as frontend, and on the login request my function properly returns a cookie in the response. Here is the whole set of response headers coming from my Azure function.

HTTP/1.1 200 OK
Date: Sun, 11 Oct 2020 20:40:16 GMT
Content-Type: application/json; charset=utf-8
Server: Kestrel
Content-Length: 180
Set-Cookie: RefreshToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJVc2VyTmFtZSI6IlNvc3NlbmJpbmRlciIsImV4cCI6IjYzNzM4MDQ2NTE3MTM3NjE4NCJ9.CCv3a41iPut4eC9jK2eqAzOLP5tWLjMlRgduSkUpS40; expires=Mon, 11 Oct 2021 20:40:17 GMT; path=/; samesite=lax
Set-Cookie: Test=Val; path=/
Access-Control-Expose-Headers: Set-Cookie

As you can see, I included my proper token, as well as just a small test cookie, just to verify whether it would even work with a very simple cookie. Hint, it doesn't.

Here is my request:


Sadly, whatever I try, Chrome and e.g. Firefox completely ignore my cookies. I didn't yet manage to have a single cookie set, no matter what I try.

I tried it on localhost as well as a *.web.core.windows.net static website now, but I just can't get it to work.

I think my backend is not the culprit, as the response headers seem to be set properly. But something just isn't quite right. I have read up on a lot of threads now mentioning what should be set and what not, I've probably tried them all now. Whether it is the secure flag, the samesite flag, whatever.

What am I missing here?

EDIT: I added a minimal reproducible example at http://www.filedropper.com/cookieproblem

To run:

  1. Navigate to the "CookieProblem" folder containing the CookieProblem.csproj. Open up cmd and run it with "func start" (requires Azure Functions CLI tool)

  2. Now, run the BlazorApp1 in VS. Open the page and keep dev tools open. On load, it should make a request to the locally running function called "Run" in the network tab.

  3. It should now also not set a cookie for you.

Okay, this problem has caused me SO much frustration. I was tinkering around in my minified solution for a while and added a basic website with the fetch() functionality, because I wanted to know whether this is due to Blazor.

So, with the fetch() code it is important to add the credentials: 'include' parameter. After doing this, everything worked.

Well, after that I spent a good share of time googling how to do this for C#'s HttpClient. The solution is to use an HttpRequestMessage and set requestMessage.SetBrowserRequestCredentials(BrowserRequestCredentials.Include);

Also, on the server side you should make sure to configure your e.g. local.settings.json accordingly to have "CORS" and "CORSCredentials" set in the "Host" subsection of the JSON (in my example this is for an Azure Functions project, this might be different for you).

That's it. Now CORS cookies work. What a ride finding this one line of code...

EDIT:

Here's an example of my local.settings.json file:

{
    "IsEncrypted": false,
    "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet"
    },
    "Host": {
        "LocalHttpPort": 7071,
        "CORS": "https://localhost:5001",
        "CORSCredentials": true
    }
}
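
The browser-side rules behind the fix above, as an added example (not code from the original post): a small checker that reports why a Set-Cookie header on a fetch() response would be ignored. The function name diagnoseSetCookie and the /api/Run route are assumptions made for illustration; SameSite, Secure and third-party cookie policies are not modelled.

```javascript
// Added example: models the Fetch/CORS checks a browser applies before it
// honours Set-Cookie on a fetch() response. Hypothetical helper, not a browser API.
function diagnoseSetCookie({ pageOrigin, requestUrl, credentials = 'same-origin', responseHeaders = {} }) {
  const h = new Map(Object.entries(responseHeaders)
    .map(([name, value]) => [name.toLowerCase(), String(value).trim()]));
  const origin = new URL(pageOrigin).origin;
  const crossOrigin = new URL(requestUrl).origin !== origin;
  const problems = [];
  const notes = [];

  if (credentials === 'omit') {
    problems.push("credentials: 'omit' makes the browser ignore Set-Cookie");
  } else if (crossOrigin && credentials !== 'include') {
    problems.push("cross-origin request without credentials: 'include'; Set-Cookie is ignored");
  } else if (crossOrigin) {
    // Credentialed cross-origin request: the server must opt in explicitly.
    const allowOrigin = h.get('access-control-allow-origin');
    if (allowOrigin === '*') {
      problems.push('Access-Control-Allow-Origin: * is rejected for credentialed requests');
    } else if (allowOrigin !== origin) {
      problems.push(`Access-Control-Allow-Origin must be exactly ${origin}`);
    }
    if (h.get('access-control-allow-credentials') !== 'true') {
      problems.push('Access-Control-Allow-Credentials: true is missing');
    }
  }
  const exposed = (h.get('access-control-expose-headers') || '').toLowerCase();
  if (exposed.split(',').map(s => s.trim()).includes('set-cookie')) {
    notes.push('Set-Cookie is a forbidden response header; exposing it has no effect');
  }
  return { crossOrigin, cookieStored: problems.length === 0, problems, notes };
}

// Constructed sample: page on https://localhost:5001 calling the function host on port 7071.
const base = { pageOrigin: 'https://localhost:5001', requestUrl: 'http://localhost:7071/api/Run' };
const before = diagnoseSetCookie({ ...base,
  responseHeaders: { 'Set-Cookie': 'Test=Val; path=/', 'Access-Control-Expose-Headers': 'Set-Cookie' } });
const after = diagnoseSetCookie({ ...base, credentials: 'include',
  responseHeaders: { 'Set-Cookie': 'Test=Val; path=/',
    'Access-Control-Allow-Origin': 'https://localhost:5001',
    'Access-Control-Allow-Credentials': 'true' } });
console.log(before.problems, before.notes, after.cookieStored);
```
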
